Password Expiration

Issue

A local account that has a setting of Password never expires will override the Maximum Password Age setting in the Password policy in Group Policy, thereby enabling a user to keep the same password forever.

Also, the Password never expires setting will override the User must change password at next logon setting. When users are assigned new passwords by administrators or help desk operators, it is good practice to set the User must change password at next logon option to ensure the user sets a new password.

Solution

Any local accounts identified in the security report as having non-expiring passwords should be reviewed to determine why the option is set, and if it should be removed.

Instructions

To clear the Password never expires setting in Windows 2000 and Windows XP Professional

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Computer Management.
3. Double-click the Local Users and Groups folder, and then click the Users folder.
4. In the right pane, double-click the account that you want to change.
5. In the Administrative Properties dialog box, clear the Password never expires check box.

To clear the Password never expires setting in Windows NT

1. Click Start, point to Programs, and then click Administrative Tools.
2. Click User Manager for Domains.
3. Under the User menu, click Select Domain, and then type the local computer name.
4. Double-click the account that you want to change.
5. In the User Properties dialog box, clear the Password never expires check box.

⌐ 2002 Microsoft Corporation. All rights reserved.